Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/Hugal31/yara-rust
Rust bindings for VirusTotal/Yara
pattern-matching rust rust-bindings yara
Last synced: 9 days ago
Rust bindings for VirusTotal/Yara
- Host: GitHub
- URL: https://github.com/Hugal31/yara-rust
- Owner: Hugal31
- License: apache-2.0
- Created: 2018-05-11T15:27:08.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2024-09-26T07:59:40.000Z (about 2 months ago)
- Last Synced: 2024-10-31T11:40:52.386Z (12 days ago)
- Topics: pattern-matching, rust, rust-bindings, yara
- Language: Rust
- Size: 693 KB
- Stars: 77
- Watchers: 8
- Forks: 28
- Open Issues: 13
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE-APACHE
Awesome Lists containing this project
- awesome-rust-security - yara-rust - Rust bindings to YARA (Threat Detection and Forensics / Packing, Obfuscation, Encryption, Anti-analysis)
README
# yara-rust
[![Tests Status](https://github.com/Hugal31/yara-rust/actions/workflows/tests.yml/badge.svg)](https://github.com/Hugal31/yara-rust/actions/workflows/tests.yml)
[![Crates.io](https://img.shields.io/crates/v/yara.svg)](https://crates.io/crates/yara)
[![Documentation](https://docs.rs/yara/badge.svg)](https://docs.rs/yara)

Bindings for the [Yara library from VirusTotal](https://github.com/VirusTotal/yara).
More documentation can be found in [Yara's documentation](https://yara.readthedocs.io/en/stable/index.html).
## Example
The implementation is inspired by [yara-python](https://github.com/VirusTotal/yara-python).
```rust
use yara::Compiler;

// A single rule that matches the string "rust", case-insensitively.
const RULES: &str = r#"
    rule contains_rust {
      strings:
        $rust = "rust" nocase
      condition:
        $rust
    }
"#;

fn main() {
    // Parse the rule source, then compile it into a reusable rule set.
    let compiler = Compiler::new().unwrap();
    let compiler = compiler
        .add_rules_str(RULES)
        .expect("Should have parsed rule");
    let rules = compiler
        .compile_rules()
        .expect("Should have compiled rules");
    // Scan an in-memory buffer; the second argument is the timeout in seconds.
    let results = rules
        .scan_mem("I love Rust!".as_bytes(), 5)
        .expect("Should have scanned");
    assert!(results.iter().any(|r| r.identifier == "contains_rust"));
}
```

## Features
* Support from Yara v4.2.
* Compile rules from strings or files.
* Save and load compiled rules.
* Scan byte arrays (`&[u8]`) or files.

## Feature flags and Yara linking.
Look at the [yara-sys](yara-sys) crate documentation for a list of feature flags
and how to link to your Yara crate.

### TODO
- [ ] Remove some `unwrap` on string conversions (currently this crate assumes the rules, meta and namespace identifiers are valid Rust `str`).
- [ ] Accept `AsRef` instead of `&str` on multiple functions.
- [x] Implement the scanner API.
- [x] Add process scanning.
- [x] Report the warnings to the user.

## License
Licensed under either of
* Apache License, Version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or http://www.apache.org/licenses/LICENSE-2.0)
* MIT license ([LICENSE-MIT](LICENSE-MIT) or http://opensource.org/licenses/MIT)

at your option.
## Contributing
Please follow the [conventional commit][Conventional commit] rules when
committing to this repository.

If you add any new feature, add the corresponding unit/doc tests.
[Conventional commit]: https://www.conventionalcommits.org/en/v1.0.0/